On 5 March 2021, the Federal Data Protection and Information Commissioner (FDPIC) published a short position paper on the revised Swiss Data Protection Act (revDPA). The position paper provides guidance for companies that are subject to the revDPA as to how to meet its requirements once it enters into force, which is expected to be in the second half of 2022 after the Federal Administration has completed drafting the associated implementing ordinances.
On February 10, 2021, the Council of the European Union (the body in which the governments of the European Union (EU) member states are represented, hereinafter the Council) reached an agreement on the proposal for an ePrivacy Regulation, which governs the protection of privacy and the confidentiality of electronic communications services (ePrivacy Regulation).
The first draft of the ePrivacy Regulation was approved by the European Commission in 2017 and has since been under discussion in the Council. The current agreement in the Council comes shortly after Portugal took over the Council presidency (on January 1, 2021) and released a revised draft of the ePrivacy Regulation (on January 5), which was the 14th draft including the original EU Commission proposal. The present agreement is therefore a breakthrough in the negotiation process and allows the Portuguese Council presidency to start negotiations with the European Parliament on the final text.
Released on February 1, the Financial Industry Regulatory Authority (FINRA) 2021 Report on its Examination and Risk Monitoring Program (Report) provides a roadmap for member firms to use to prepare for examinations and to review and assess compliance and supervisory procedures related to business practices, compliance, and operations. The Report replaces two of FINRA’s prior annual publications: (1) the Report on Examination Findings and Observations, which provided an analysis of prior examination results, and (2) the Risk Monitoring and Examination Program Priorities Letter, which highlighted areas FINRA planned to review in the coming year.
On December 18, 2020, the Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking (NPR) that would impose on banks and money services businesses (MSBs) new recordkeeping, reporting, and identity verification requirements for certain transactions involving convertible virtual currency (CVC) or digital assets with legal tender status (legal tender digital assets or LTDA) where the counterparty to the transaction does not hold an account (including a hosted digital asset wallet) with a financial institution regulated under the U.S. Bank Secrecy Act (BSA) or with certain foreign financial institutions not located in designated problematic jurisdictions. If adopted, the proposed rule would impose significant new burdens on banks and MSBs engaged in digital asset businesses and undercut the role of U.S. institutions in digital asset economies, including in the growing area of “decentralized finance.” The NPR proposes to exclude broker-dealers, futures commission merchants, and mutual funds, among other institutions subject to the BSA, from these new requirements, but specifically requests industry comment on whether such institutions should also be brought within the scope of the rule.
Affected institutions will have very limited time to assess and comment on the NPR, as the comment period closes on January 4, 2021, notwithstanding two intervening federal holidays.
On December 15, 2020, the U.S. Federal Deposit Insurance Corporation (FDIC) approved, and on December 18 the federal banking agencies jointly announced, a notice of proposed rulemaking, Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (NPR). The NPR is a joint proposal of the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the FDIC.
The EU Dual-Use Regulation governs exports outside the EU, transfers within the EU, transit through the EU, and the brokering of certain sensitive goods, services, software, and technology (referred to as “items”) that are considered “dual-use,” meaning that they have both military and civil applications. The EU has updated its export control rules for dual-use items to (1) take account of Brexit, (2) ensure consistency with recent developments in international non-proliferation regimes and export control arrangements, and (3) address cyber-surveillance and other security threats stemming from new technologies, reinforce cooperation among competent EU authorities, and impose enhanced compliance obligations on businesses (including a requirement to adopt internal compliance programs). These updates, addressed in turn below, will have significant implications for businesses dealing in dual-use items.
On December 10, 2020, the California Attorney General (“AG”) proposed additional edits to the CCPA Regulations. These changes both build upon the updates that were proposed on October 12, 2020, and add some new content. All of the newly proposed changes relate to the right to opt-out of the sale of personal information. For a summary of all changes proposed on October 12, 2020, please see our post here.
This article originally appeared in the Daily Journal on November 20, 2020.
The passage of Proposition 24, the California Privacy Rights Act (CPRA), amends 2018’s California Consumer Privacy Act (CCPA) by creating the nation’s first data privacy enforcement agency and expanding consumers’ rights with respect to their personal information. In this article, Sheri Porath Rockwell and Alexis Miller Buese highlight some of the significant features of the CPRA that are likely to impact consumers and businesses alike.
On November 2, 2020, Singapore’s legislature finally approved amendments to the Personal Data Protection Act (PDPA). The amendments take effect once they are gazetted, which may happen before the end of 2020. If you operate in Singapore, handle Singapore data, or maintain a server in Singapore, it is crucial that you have protocols in place to guide employees on what to do when a data breach occurs, and you should consider running a data breach tabletop exercise. (We have organized a number of these drills for clients in preparation for breach notification requirements in Australia and now Singapore.)
On 12 November 2020, the European Commission (EC) published a draft decision implementing revised Standard Contractual Clauses (draft SCCs) (the EC’s Draft). The EC’s Draft follows the Court of Justice of the European Union’s (CJEU) decision of 16 July 2020 in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II), which found (amongst other things) that supplementary measures may need to be implemented when SCCs are used, so as to ensure an ‘essentially equivalent’ level of data protection. The EC’s Draft was published just one day after the European Data Protection Board (EDPB) released its draft recommendations on how controllers and processors transferring personal data outside the European Economic Area (EEA) may comply with the Schrems II ruling. The EC’s Draft is open for public consultation until 10 December 2020, after which it will be reviewed by a committee of representatives of every EU Member State (the Committee), which must deliver a favourable opinion on the EC’s Draft under the EU examination procedure. The European Data Protection Supervisor must also be consulted, and consultation of the EDPB is recommended. The EC’s College of Commissioners may then adopt the EC’s final decision.